Solved OpenVPN NAT in Jail

[mahescho]

I've setup OpenVPN in a jail. My client can connect to the OpenVPN server and I see traffic on the tun0 interface coming in. I know that I need NAT for the IPv4 traffic but I don't know how to configure it. I've tried

nat on $ext_if from $VPN_NET to any -> $ext_ip_B

without success. $ext_ip_B because the system has two different IPs on the external interface. There is only one interface as this is just a server on the internet, no firewall.

How to configure this?

TIA

 

[SirDice]

A standard jail cannot change its network settings or load firewall rules. So this is not going to work from within jail. You may be able to get it to work using VNET/VIMAGE jails. Alternatively, you could do the NAT/firewalling on the host.

 

[mahescho]

A standard jail cannot change its network settings or load firewall rules. So this is not going to work from within jail. You may be able to get it to work using VNET/VIMAGE jails.

I know

Alternatively, you could do the NAT/firewalling on the host.

That's what I want to do, but what I did so far did not work

 

[SirDice]

Do you have gateway_enable="YES" on the host?

 

[mahescho]

Do you have gateway_enable="YES" on the host?

Yes. And to activate it without reboot I did: sysctl net.inet.ip.forwarding=1

 

[SirDice]

Ok, failure to set that would stop routing. Your NAT rule, as basic as it is, looks fine to me. But even if the NAT wasn't working you'd still see packets outgoing on $ext_if, although they would have the 'wrong' source address. Are you able to see the VPN traffic on the outgoing interface? Use tcpdump(8) to have a look at the actual packets.

 

[mahescho]

I've already checked this and did it again right now. There is no traffic on $ext_if with IP's of my VPN net. And as routing is essntial I've doubele checked:

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

I think I've not mentioned an important thing, which may be the source of the problem:

The system is a server on the internet with one NIC (vtnet0) which das two public IPs (ipA and ipB) of two different sub nets with two different gateways. The system is also connected by IPv6. For my jails (www, db, vpn) I use "lo0" with RFC1918 addresses and NAT for IPv4. To achieve this I use two routing tables (fibs). May be the two routing tables are the problem ... I've changed my NAT rule to:

nat on $ext_if from $VPN_NET to any -> $ext_if

(ext_if instead of ext_ip_B) without success.

 

[mahescho]

Solution was too simple


nat on $if inet from $VPN_NET to any -> $ipB
pass in on $VPN_IF from any to any


missed the last line ... no "pass" no traffic ...

 

[SirDice]

There is no traffic on $ext_if with IP's of my VPN net.

Just in case the NAT is actually working, run tcpdump(8) and filter on the destination address. For example: tcpdump -ni vtnet0 host www.freebsd.org and port 80 then on a VPN client do: fetch -4 http://www.freebsd.org. If you don't see packets going out there's probably something wrong with your routing. Forwarding is turned on, it's the routing tables you need to double check.

Edit: yes, it helps if you allow the traffic